Professional Documents
Culture Documents
1. Introduction
2. Scope
3. Reference
4. Definitions
“Audit” means systematic independent and documented process for obtaining audit
evidence and evaluating it objectively to determine the extent to which the audit criteria
are fulfilled. ISO 19011:2002
Note: For the purpose of these guidelines, “audit” means a regulatory audit.
“Regulatory audit” means the audit of a quality system is to demonstrate conformity with
a quality system standard and the relevant regulatory requirements.
“Audit evidence” means records, statements of fact or other information, which are
relevant to the audit criteria and verifiable. ISO 19011:2002
Note: Audit evidence may be qualitative and/or quantitative and is used to substantiate
audit observations
“Medical device” is defined in the national and regional regulations listed in Appendix 4
and the GHTF document SG 4/N28 R2: “Guidelines for Regulatory Auditing of quality
Systems of Medical Device Manufacturers – Part 1: General Requirements”.
“Process” means set of interrelated or interacting activities which transforms inputs into
outputs
“Regulatory requirement” means any part of a law, ordinance, decree or other
regulation, which applies to quality systems of medical device manufacturers.
Note: Guidelines, notes, draft documents, or the like should not be used as regulatory
documents and are not to be construed as such unless formally promulgated.
Conducting the regulatory audit, the quality management system of a medical device
manufacturer based on ISO 13485:2003: “Quality systems – Medical devices System
requirements for regulatory purposes” is checked with regard to conformity with the
quality system requirements and compliance with the relevant regulatory requirements.
iii) The key subsystems for addressing quality are the subsystems 1 to 5 identified in
Table 1. These should receive the primary focus of the audit. It may be appropriate to
treat the other subsystems as key subsystems in some situations. Examples for the
subsystem purchasing controls include:
A “virtual” Manufacturer who− contracts essential activities such as design and
production
A Manufacturer who contracts a sterilization process, or
A Manufacturer of high risk medical devices who purchases significant components
and subassemblies.
7.5.3 Auditing Approaches
i) There are different approaches to conducting a regulatory audit:
The “top-down” approach for conducting a regulatory audit begins with an evaluation
of the structure of the quality management system and its subsystems: management,
design control, technical files, production processes, and corrective and preventive
actions. Selected subsystems are reviewed to determine whether the manufacturer has
addressed the basic requirements by defining and documenting appropriate
procedures. It is important to check that a process approach is applied both in the
quality system and in each subsystem, e.g. by using a PDCA cycle (see Chapter 5.4).
With the “top-down” approach, the auditor will first confirm that the manufacturer has
established appropriate procedures and policies. Then the auditor will review evidence
including records to verify whether the manufacturer is implementing the procedures
and policies effectively and the quality system is in conformity with regulatory
requirements.
The advantage of this approach is a uniform approach for a systematic and transparent
regulatory audit process – both for the regulatory sides and the manufacturer.
The “bottom-up“ approach for a regulatory audit can have as a starting point a quality
problem; e.g., a medical device report of an adverse event or nonconforming product.
Thus, the auditor starts at the bottom and works his way through the manufacturer’s
quality system up to the management responsibility.
The advantage of this approach is a quick insight on the effectiveness of the selected
subsystems and processes that have been affected by the specific quality problem and
the cause(s) of the quality problem. The disadvantage of this approach is that it is very
difficult for the auditor to determine how effectively the complete quality system works.
ii) Depending on the purpose and trigger of an audit, an appropriate approach should
be selected. If there are no special events to be covered during the audit , the top-down
approach is preferred. An initial audit will normally follow a top-down approach. Audits
which include a potential significant safety issue will normally follow a bottom-up
approach.
i) Plan – Has the manufacturer established the objectives and processes to enable the
quality system to deliver the results in accordance with the regulatory requirements?
ii) Do – Has the manufacturer implemented the quality system and the processes?
iii) Check – Has the manufacturer checked process monitoring and measurement
results against the objectives and the regulatory requirements? Does the manufacturer
evaluate the effectiveness of the quality system periodically through internal audits and
management reviews?
iv) Act – Has the manufacturer implemented effective corrective and preventive
actions? Confirm that the company is committed to providing high quality safe and
effective medical devices, and that the company is conforming with applicable laws and
regulations.
These are generic questions that can be asked throughout the audit.
5.4. Sampling
In general there are two ways of sampling records for review which are useful in
regulatory audits risk based and statistical. Where possible, auditors should select
samples based on factors which are most likely to affect the safety of the patient. In this
situation sampling tables are not necessary. The auditor may however decide to select
a statistically valid sample. A sample can also be drawn using a combination of risk
based and statistical sampling.
The baseline includes time to prepare for the audit, preview the quality system
documentation and write the report. It does not consider the time required for design
dossier reviews, type examinations, pre-market approvals and other similar activities.
The baseline for initial audits should be adjusted to take into account the other types of
audits and the factors listed in Appendix 1 which may increase or decrease the
estimated audit duration, but only if these factors are required by the applicable
regulations.
Targeted onsite auditing time
The targeted on-site time to complete the initial auditing of the subsystems should be
based on the following dates given in Table 2:
5.7. Linkages
i) Although most of the auditor’s time will be spent on examining processes within the
sub-systems, it is important to remember that links exist between the sub-systems and
between different processes. Some of these links are less obvious than others, but
should be checked during the audit.
Examples: Link between corrective and preventive actions and management and
disseminating CAPA information to management for management review
ii) Design and development controls and purchasing controls: Design output used in
evaluating potential suppliers of components and assemblies and
communicating specified purchase requirement to that supplier.
iii) Within a process, the steps will normally be linked because the output from one
step will be the input to the next. During a process based audit, these links may be
picked up automatically by the auditor.
iv) There are also some obvious links between processes, e.g. the output from design
will be an input to production. These links need to be checked during both parts of the
audit (e.g. design and production) to verify that the link is working and the quality
system is working as a coherent whole.
v) There are other links which may be less obvious, but which still need to be audited,
e.g. if non-conforming product is seen in finished goods, did this problem originate in
stores, production, final inspection or design?
vi) There also are links between sub-systems, e.g. if faulty components arrive on the
production floor, was this caused by the supplier, receiving inspection, incorrect data to
the supplier or by design?
vii) In such instances, does the system require the manufacturer to always make a
CAPA report?
6. Auditing subsystems
There is a specific goal in auditing each subsystem. The plan for auditing each
subsystem should be process based (chapter 5.4) and should enable the goal to be
reached. This should include verifying conformance with the requirements which affect
each subsystem. For logistics see also chapter 5.7
Note 1: Numbers beneath each chapter refer to ISO 13485:2003
Note 2: Chapters marked with* are main subsystems and should receive a main focus
of the audit, if this is a regulatory requirement. See also chapter 5.2.
6.1. Management
GOAL: The purpose of the management subsystem audit is to evaluate whether top
management ensures that an adequate and effective quality system has been
established and maintained.
Major Steps: The following major steps serve as a guide in the audit of the
“Management“ subsystem:
i) ISO 13485:2003: 4.1, 4.2 – Verify that a quality manual, management review and
quality audit procedures, quality plan, and quality system procedures and instructions
have been defined and documented.
ii) ISO13485:2003: 5.3, 5.4 – Verify that a quality policy and objectives have been
defined and documented and steps taken to achieve them.
iii) ISO 13485:2003: 5.1, 5.5.1, 5.5.2, 6.1, 6.2 – Review the manufacturer‘s established
organizational structure to verify that it includes provisions for responsibilities,
authorities (e.g. management representative), resources, competencies and training
iv) ISO 13485:2003: 5.6 – Verify that management reviews, including a review of the
suitability and effectiveness of the quality system, are being conducted.
v) ISO 13485:2003: 8.2.2 – Verify that internal audits of the quality system are being
conducted including verification of corrective and preventive actions.
In conclusion of the audit of the other subsystems a decision should be made as to
whether top management has taken the appropriate actions to ensure a suitable and
effective quality system is in place.